Russia’s domestic intelligence service, the FSB, said Friday that it had arrested members of REvil, one of the most destructive ransomware gangs in the world.
The arrests mark the first time Russia has taken public action against one of the largest ransomware groups, which appears to have had a free hand for years to hack foreign targets, particularly in the United States, locking their computers and extorting payments. However, many experts warn that the arrests may reflect an attempt by the Kremlin to divert attention from its ongoing escalations with Ukraine.
REvil is one of the most prolific of the many groups associated with Russia that have made fortunes hacking foreign organizations. Victims included JBS, the world’s largest beef supplier, and software company Kaseya, in a particularly sweeping hack that gave the group access to thousands of victims. The US Treasury Department said in November that the group had received more than 200 million dollars in extortion payments.
To some extent, the arrests mark a foreign policy victory for the US, which tracks cybercriminals around the world and often works with allies to arrest and extradite them. But many cybercriminals live in Russia, which doesn’t extradite its citizens and often doesn’t arrest them for hacking foreign targets, frustrating US efforts to crack down on ransomware.
While the US has been openly skeptical of Russia’s seriousness in tackling ransomware as a global problem and left it out of a 30-country online summit on the issue, it has also repeatedly met directly with Kremlin officials to try to convince them to take action against ransomware criminals within Russia’s borders.
A White House spokesman did not immediately respond to a request for comment.
In its announcement, the FSB said its investigation was prompted by “the appeal of the relevant US authorities”.
The arrests come months after REvil appeared to have ceased operations, reportedly after the US launched its own cyberattacks against the group.
The timing of the FSB’s announcement is suspicious, cybersecurity and Russia experts said, as it came four days after recent US-Russia talks over a possible Russian invasion of Ukraine appeared to end without a breakthrough. Ukrainian government websites were attacked by an unknown perpetrator on Thursday evening. Russia has denied it was responsible, but it has also denied being behind previous similar attacks that Western governments and cybersecurity experts widely believe it carried out.
Gavin Wilde, a geopolitical analyst and Russia expert at Krebs-Stamos Group, a cybersecurity firm, said the arrests appear to be strategically motivated.
“The FSB is known for making large arrests for its domestic propaganda value,” he said.
“The idea here could well be to signal some level of leverage or perspective to the US,” Wilde said.
The Russian Foreign Ministry did not immediately respond to a request for comment.
Philip Reiner, the CEO of the Institute for Security and Technology, a San Francisco think tank behind an influential report on how the US can fight ransomware, asked why the announcement hadn’t come sooner.
“While we will always welcome arrests like these and it seems some political pressure is paying off, the timing is clearly prudent while likely Russian-linked actors deface Ukrainian official websites and threaten the personal information and lives of the Ukrainian people,” he said. “First of all, great, but at the same time a spit in the face of the Russians. Why didn’t this happen in the summer when it could have happened?”